(Revised January
6, 1996)
A few years ago, the phrase crypto anarchy was coined to suggest the impending
arrival of a Brave New World in which governments, as we know them, have
crumbled, disappeared, and been replaced by virtual communities of individuals
doing as they wish without interference. Proponents argue that crypto anarchy
is the inevitable -- and highly desirable -- outcome of the release of public
key cryptography into the world. With this technology, they say, it will
be impossible for governments to control information, compile dossiers,
conduct wiretaps, regulate economic arrangements, and even collect taxes.
Individuals will be liberated from coercion by their physical neighbors
and by governments. This view has been argued recently by Tim May [1].

Behind the anarchists' vision is a belief that a guarantee
of absolute privacy and anonymous transactions would make for a civil
society based on a libertarian free market. They ally themselves with
Jefferson and Hayek who would be horrified at the suggestion that a society
with no government control would be either civil or free. Adam Ferguson
once said "Liberty or Freedom is not, as the origin of the name may
seem to imply, an exemption from all restraints, but rather the most effectual
applications of every just restraint to all members of a free society
whether they be magistrates or subjects." Hayek opens The Fatal Conceit,
The Errors of Socialism (The University of Chicago Press, 1988, ed. W.W.
Bartley III) with Ferguson's quote.

Although May limply asserts that anarchy does not mean
lawlessness and social disorder, the absence of government would lead
to exactly these states of chaos.

I do not want to live in an anarchistic society --
if such could be called a society at all -- and I doubt many would. A
growing number of people are attracted to the market liberalism envisioned
by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto
anarchists' claims come close to asserting that the technology will take
us to an outcome that most of us would not choose.

This is the claim that I want to address here. I do not accept crypto
anarchy as the inevitable outcome. A new paradigm of cryptography, key
escrow, is emerging and gaining acceptance in industry. Key escrow is
a technology that offers tools that would assure no individual absolute
privacy or untraceable anonymity in all transactions. I argue that this
feature of the technology is what will allow individuals to choose a civil
society over an anarchistic one. I will review this technology as well
as what it will take to avoid crypto anarchy. First, however, I will review
the benefits, limitations, and drawbacks of cryptography and current trends
leading toward crypto anarchy.

Cryptography's Benefits, Limitations, and Drawbacks

The benefits of cryptography are well recognized. Encryption can protect
communications and stored information from unauthorized access and disclosure.
Other cryptographic techniques, including methods of authentication and
digital signatures, can protect against spoofing and message forgeries.
Practically everyone agrees that cryptography is an essential information
security tool, and that it should be readily available to users. I take
this as a starting assumption and, in this respect, have no disagreement
with the crypto anarchists.

Less recognized are cryptography's limitations. Encryption is often oversold
as the solution to all security problems or to threats that it does not
address. For example, the headline of Jim Warren's op-ed piece in the
San Jose Mercury News reads "Encryption could stop computer crackers"
[2]. Unfortunately, encryption offers no such aegis. Encryption does nothing
to protect against many common methods of attack including those that
exploit bad default settings or vulnerabilities in network protocols or
software -- even encryption software. In general, methods other than encryption
are needed to keep out intruders. Secure Computing Corporation's Sidewinder[TM]
system defuses the forty-two "bombs" (security vulnerabilities)
in Cheswick and Bellovin's book, Firewalls and Network Security (Addison
Wesley, 1994), without making use of any encryption [3].

Moreover, the protection provided by encryption can be illusory. If the
system where the encryption is performed can be penetrated, then the intruder
may be able to access plaintext directly from stored files or the contents
of memory or modify network protocols, application software, or encryption
programs in order to get access to keys or plaintext data or to subvert
the encryption process. For example, PGP (Pretty Good Privacy) could be
replaced with a Trojan horse that appears to behave like PGP but creates
a secret file of the user's keys for later transmission to the program's
owner much like a Trojan horse login program collects passwords. A recent
penetration study of 8932 computers by the Defense Information Systems
Agency showed 88% of the computers could be successfully attacked. Using
PGP to encrypt data transmitted from or stored on the average system could
be like putting the strongest possible lock on the back door of a building
while leaving the front door wide open. Information security requires
much more than just encryption -- authentication, configuration management,
good design, access controls, firewalls, auditing, security practices,
and security awareness training are a few of the other techniques needed.

The drawbacks of cryptography are frequently overlooked as well. The widespread
availability of unbreakable encryption coupled with anonymous services
could lead to a situation where practically all communications are immune
from lawful interception (wiretaps) and documents from lawful search and
seizure, and where all electronic transactions are beyond the reach of
any government regulation or oversight. The consequences of this to public
safety and social and economic stability could be devastating. With the
government essentially locked out, computers and telecommunications systems
would become safe havens for criminal activity. Even May himself acknowledges
that crypto anarchy provides a means for tax evasion, money laundering,
espionage (with digital dead drops), contract killings, and implementation
of data havens for storing and marketing illegal or controversial material.
Encryption also threatens national security by interfering with foreign
intelligence operations. The United States, along with many other countries,
imposes export controls on encryption technology to lessen this threat.

Cryptography poses a threat to organizations and individuals too. With
encryption, an employee of a company can sell proprietary electronic information
to a competitor without the need to photocopy and handle physical documents.
Electronic information can be bought and sold on "black networks"
such as Black-Net [1] with complete secrecy and anonymity -- a safe harbor
for engaging in both corporate and government espionage. The keys that
unlock a corporation's files may be lost, corrupted, or held hostage for
ransom, thus rendering valuable information inaccessible.

When considering the threats posed by cryptography, it is important to
recognize that only the use of encryption for confidentiality, including
anonymity, presents a problem. The use of cryptography for data integrity
and authentication, including digital signatures, is not a threat. Indeed,
by strengthening the integrity of evidence and binding it to its source,
cryptographic tools for authentication are a forensic aid to criminal
investigations. They also help enforce accountability. Because different
cryptographic methods can be employed for confidentiality and authentication,
any safeguards that might be placed on encryption to counter the threats
need not affect authentication mechanisms or system protocols that rely
on authentication to protect against system intrusions, forgeries, and
substitution of malicious code.

The Drift Toward Crypto Anarchy

Crypto anarchy can be viewed as the proliferation of cryptography that
provides the benefits of confidentiality protection but does nothing about
its harms. It is government-proof encryption which denies access to the
government even under a court order or other legal order. It has no safeguards
to protect users and their organizations from accidents and abuse. It
is like an automobile with no brakes, no seat belts, no pollution controls,
no license plate, and no way of getting in after you've locked your keys
in the car.

The crypto anarchist position is that cyberspace is on a non-stop drift
toward crypto anarchy. Powerful encryption algorithms, including the Data
Encryption Standard (DES), triple-DES, RSA, and IDEA are readily available
at no charge through Internet servers as stand-alone programs or as part
of packages providing file or electronic mail encryption and digital signatures.
Among these, PGP, which uses RSA and IDEA for encrypting files and electronic
mail messages, has become particularly popular. Software that will turn
an ordinary PC into a secure phone is posted on the Internet for free
downloading. These systems have no mechanisms for accommodating authorized
government decryption. Export controls have little effect as the programs
can be posted in countries that have no such controls.

In addition to the free encryption programs being distributed on the net,
encryption is becoming a basic service integrated into commercial applications
packages and network products. The IP Security Working Group of the Internet
Engineering Task Force has written a document that calls for all compliant
IPv6 (Internet Protocol, version 6) implementations to incorporate DES
cryptography.

Anonymous remailers, which allow users to send or post messages without
disclosing their identity or host system, have also become popular on
the Internet. May reports that there are about 20 cypherpunk-style remailers
on the Internet, with more being added monthly. These remailers allow
unlimited nesting of remailing, with PGP encryption at each nesting level.
Anonymous digital cash, which would provide untraceability of electronic
payments, is on the horizon.

The potential harms of cryptography have already begun to appear. As the
result of interviews I conducted in May, 1995, I found numerous cases
where investigative agencies had encountered encrypted communications
and computer files. These cases involved child pornography, customs violations,
drugs, espionage, embezzlement, murder, obstruction of justice, tax protestors,
and terrorism. At the International Cryptography Institute held in Washington
in September, 1995, FBI Director Louis Freeh reported that encryption
had been encountered in a terrorism investigation in the Philippines involving
an alleged plot to assassinate Pope John Paul II and bomb a U.S. airliner
[4].

AccessData Corp., a company in Orem, Utah which specializes in providing
software and services to help law enforcement agencies and companies recover
data that has been locked out through encryption, reports receiving about
a dozen and a half calls a day from companies with inaccessible data.
About one-half dozen of these calls result from disgruntled employees
who left under extreme situations and refused to cooperate in any transitional
stage by leaving necessary keys (typically in the form of passwords).
Another half dozen result from employees who died or left on good terms,
but simply forgot to leave their keys. The third half dozen result from
loss of keys by current employees.

The Emergence of Key Escrow as an Alternative

The benefits of strong cryptography can be realized without following
the crypto anarchy path to social disorder. One promising alternative
is key escrow encryption, also called escrowed encryption [5]. The idea
is to combine strong encryption with an emergency decryption capability.
This is accomplished by linking encrypted data to a data recovery key
which facilitates decryption. This key need not be (and typically is not)
the one used for normal decryption, but it must provide access to that
key. The data recovery key is held by a trusted fiduciary, which could
conceivably be a governmental agency, court, or trusted and bonded private
organization. A key might be split among several such agencies. Organizations
registered with an escrow agent can acquire their own keys for emergency
decryption. An investigative or intelligence agency seeking access to
communications or stored files makes application through appropriate procedures
(which normally includes getting a court order) and, upon compliance,
is issued the key. Legitimate privacy interests are protected through
access procedures, auditing, and other safeguards.

In April, 1993, as response to a rising need for and use of encryption
products, the Clinton Administration announced a new initiative to promote
encryption in a way that would not prohibit lawful decryption when investigative
agencies are authorized to intercept communications or search computer
files [6]. Government agencies were directed to develop a comprehensive
encryption policy that would accommodate the privacy and security needs
of citizens and businesses, the ability of authorized government officials
to access communications and data under proper court or other legal order,
the effective and timely use of modern technology to build the National
Information Infrastructure, and the need of U.S. companies to manufacture
and export high technology products. The goal was not to prevent citizens
from having access to encryption or "to stigmatize cryptography as
something only criminals would use" [7]. As part of this encryption
initiative, the government developed an escrowed encryption chip called
the Clipper Chip.

Each Clipper Chip has a unique key that is programmed onto the chip and
used to recover data encrypted by that chip. This key is split into two
components, and the two components are held by two separate government
agencies: the National Institute of Standards and Technology and the Department
of Treasury Automated Systems Division. Clipper's data encryption algorithm,
Skipjack, is a classified algorithm designed by the National Security
Agency [8]. It has a key size of 80 bits. The general specifications for
the Clipper Chip were adopted in February, 1994, as the Escrowed Encryption
Standard (EES) [9], which is a voluntary government standard for telephone
communications, including voice, fax, and data. Implementations of the
EES are required to use tamper-resistant hardware in order to protect
the classified algorithms. The chip and associated key escrow system have
been designed with extensive safeguards, including two person control
and auditing, to protect against any unauthorized use of keys [10]. Clipper's
key escrow system does not provide user data recovery services.

The National Security Agency also designed a more advanced chip called
Capstone as part of the Multilevel Information System Security Initiative
(MISSI). Capstone implements the EES plus algorithms for the Digital Signature
Standard (DSS) and for establishing session keys. It has been embedded
in the Fortezza card (a PCMCIA card) where it is used to provide the cryptographic
services needed for communications and file security. The private keys
used for key establishment and digital signatures, which are stored on
the Fortezza card, are not stored in Clipper's key escrow system. They
are, however, escrowed with the user's public-key certificate authority
so that they can be recovered in case the card becomes corrupted. This
allows encrypted files and previously received electronic mail messages
to be read. Fortezza cards are available with or without a modem capability.
The modem cards allow encryption and decryption to be performed as part
of the communications protocols or as independent service calls (e.g.,
for encrypting the content of an e-mail message or file).

The government has not been alone in its pursuit of key escrow technology.
Some type of key escrow is a feature or option of several commercial products
including Fisher Watchdog®, Nortel's Entrust, PC Security Stoplock
KE, RSA Secure[TM], and TECSEC Veil[TM]. Escrowing is done within the
user's organization and serves primarily to protect against data loss.

Several companies have proposed designs for commercial key escrow systems
where the escrow agents could be trusted third parties that provide emergency
decryption services for both registered users and authorized government
officials. Such escrow agents might be licensed, with licenses granted
to organizations demonstrating the capability to administer key escrow
encryption and safeguard keys and other sensitive information. Some of
the proposed systems have been designed with the objective of being suitable
for international use.

One such example is a proposal from Bankers Trust for an international
commercial key escrow system for secure communications [11]. Their proposal
uses a combination of hardware and software, unclassified algorithms,
and public-key cryptography for key establishment and key escrow functions.
Each user has a trusted encryption device, a public-private signature
key pair, and a public-private encryption key pair that is used for establishing
session keys and for data recovery. The private encryption keys are escrowed
through a device registration process, and may be split among several
escrow agents.

Trusted Information Systems (TIS) has proposed a commercial software key
escrow system intended primarily for file encryption [12]. A commercial
entity serves as a key escrow agent and operates a data recovery center.
To use the services of a particular center, a user must register with
the center. Emergency decryption is possible through a key that is private
to the center. The key is not released to users or the government; instead,
the center participates in the decryption of each file that is encrypted
under a distinct file encryption key. TIS would franchise their data recovery
centers to interested organizations. National Semiconductor and TIS have
jointly proposed Commercial Automated Key Escrow (CAKE), which combines
a CAKE-enabled PersonaCard[TM] token (National's PCMCIA cryptographic
card) with a TIS data recovery center [13]. The goal is an exportable,
strong encryption alternative using accepted public encryption algorithms
such as DES, triple DES, and RSA.

Under current U.S. export regulations, encryption products with key lengths
greater than 40 bits are not generally exportable when used for confidentiality
protection. One of the attractions of key escrow encryption is that by
providing a mechanism for authorized government decryption, it can enable
the export of products with strong encryption. For example, Clipper/Capstone
devices are generally exportable, even though the encryption algorithm
is strong and uses 80-bit keys. Commercial key escrow approaches that
use some form of hardware token are good candidates for export as they
can provide reasonable protection against modifications to bypass the
key escrow functions. The Bankers Trust and National/TIS proposals take
that approach. Fortress U & T, Ltd. also has proposed a token-based
approach to key escrow [14].

Hardware encryption generally offers greater security than software. Nevertheless,
there is a large market for software encryption. On August 17, 1995, the
Clinton Administration announced a proposal to allow ready export of software
encryption products with key lengths up to 64 bits when combined with
an acceptable key escrow capability. This policy would allow export of
DES, for example, which uses 56-bit keys, but not triple DES. Keys would
be held by government-approved trusted parties within the private sector,
where they would support both user data recovery and legitimate government
decryption. The proposal, which is still undergoing refinement as of December,
is expected to be implemented in early 1996.

Key escrow encryption has been a topic of growing interest in the research
community. Most of this work is reviewed in [5]. Silvio Micali's proposal
for "fair cryptosystems" [15] has influenced several designs
including the Bankers Trust proposal. Karlsruhe University's TESS system
uses smart cards for user keys which are escrowed [16]. A proposal from
Royal Holloway integrates escrow with the trusted third parties that serve
as certificate authorities [17].

Some type of escrow facility might be used to control anonymity services
as well as encryption. For example, escrow could be used with digital
cash and anonymous remailers to ensure traceability when there is a court
order or other legal authorization for information about the originator
of a transaction. Ernie Brickell, Peter Gemmell, and David Kravitz propose
a system for electronic cash that would incorporate trustee-based tracing
in an otherwise anonymous cash system [18].

Alternatives to Key Escrow

Key escrow is not the only way of accommodating authorized government
access. Another approach is weak encryption. The data encryption keys
are short enough that a key can be determined by trying all possibilities.
From the user's perspective, key escrow encryption has an advantage over
weak encryption of allowing the use of strong encryption algorithms that
are not vulnerable to attack. However, for applications where such a high
level of security is not needed, weak encryption offers a less costly
alternative. A disadvantage of weak encryption (unless it is extremely
weak) from a law enforcement perspective is that it can preclude real-time
decryption in an emergency situation (e.g., kidnaping).

A third approach is link encryption. Communications are encrypted between
network nodes but not across nodes. Thus, plaintext communications can
be accessed in the network switching nodes. One major advantage of link
encryption is that it allows someone with a cellular phone to protect
the over-the-air connection into the phone system without requiring that
the other party have a compatible encryption device or, indeed, use any
encryption at all. Global System for Mobile (GSM), a world-wide standard
for mobile radio telecommunications, encrypts communications transmitted
over the radio link, but they are decrypted before being transmitted through
the rest of the network. The disadvantage of link encryption is that plaintext
data are exposed in, potentially, many intermediate nodes. By contrast,
key escrow encryption can support secure end-to-end encryption.

Crypto Anarchy is Not Inevitable

In the United States, there are no restrictions on the import, manufacture,
or use of cryptographic products (except that government agencies are
required to use government standards). The question is: Are such controls
needed or will voluntary key escrow, combined with weak encryption and
link encryption where appropriate, be sufficient to avoid crypto anarchy?

Several factors will facilitate the adoption of key escrow. Because key
escrow products will be exportable, under appropriate conditions, vendors
will have a strong incentive to adopt key escrow, as it will enable them
to integrate strong cryptography into a single product line for both domestic
and international sales. Currently, vendors must either install weak cryptography,
which does not meet the needs of many customers, or develop two sets of
products, which greatly increases costs and prohibits interoperability
between domestic and foreign customers. Users will have an incentive to
purchase key escrow products, because such products will protect them
against lost or damaged keys. The government's own commitment to key escrow
will ensure a large market for escrowed encryption products. As the market
develops, many users will choose key escrow products in order to communicate
with those using such products. Concern over the social consequences of
crypto anarchy will also motivate some people to develop or use key escrow
products. Finally, the adoption of key escrow might be facilitated by
legislation that would specify the qualifications, responsibilities, and
liabilities of government-approved escrow agents. This legislation could
define unlawful acts relating to the compromise or abuse of escrowed keys
(e.g., deliberately releasing a key to someone who is not authorized to
receive it). Such legislation could ensure that at least approved escrow
agents satisfy the requirements of users and the government. It also could
allay the privacy concerns of those using approved escrow agents.

International interest is key escrow will also contribute to its success.
There is growing recognition on the part of governments and businesses
worldwide of the potential of key escrow to meet the needs of both users
and law enforcement. In addition to providing confidentiality and emergency
backup decryption, escrowed encryption is seen as a way of overcoming
export restrictions, common to many countries, which have limited the
international availability of strong encryption in order to protect national
security interests. With key escrow, strong exportable cryptography can
be standardized and made available internationally to support the information
security needs of international business. Key escrow could be a service
provided by trusted parties that manage the public-key infrastructure
and issue X.509 certificates. Some products and proposals for key escrow
use this approach

At a meeting sponsored by the Organization for Economic Development (OECD)
and the International Chamber of Commerce (ICC) in December, 1995 in Paris,
representatives from the international business community and member governments
agreed to work together to develop encryption policy guidelines based
on agreed upon principles that accommodate their mutual interests. The
INFOSEC Business Advisory Group (IBAG) issued a statement of seventeen
principles that they believe can form the basis of a detailed agreement
[19]. IBAG is an association of associations (mostly European) representing
the information security interests of users.

The IBAG principles acknowledge the right of businesses and individuals
to protect their information and the right of law-abiding governments
to intercept and lawfully seize information when there is no practical
alternative. Businesses and individuals would lodge keys with trusted
parties who would be liable for any loss or damage resulting from compromise
or misuse of those keys. The trusted parties could be independently accredited
entities or accredited entities within a company. The keys would be available
to businesses and individuals on proof of ownership and to governments
and law enforcement agencies under due process of law and for a limited
time frame. The process of obtaining and using keys would be auditable.
Governments would be responsible for ensuring that international agreements
would allow access to keys held outside national jurisdiction. The principles
call for industry to develop open voluntary, consensus, international
standards and for governments, businesses, and individuals to work together
to define the requirements for those standards. The standards would allow
choices about algorithm, mode of operation, key length, and implementation
in hardware or software. Products conforming to the standards would not
be subject to restrictions on import or use and would be generally exportable.

EUROBIT (European Association of Manufacturers of Business Machines and
Information Technology Industry), ITAC (Information Technology Industry
Association of Canada), ITI (Information Technology Industry Council,
U.S.), and JEIDA (Japan Electronic Industry Development Association) also
issued a statement of principles for global cryptography policy at the
OECD meeting [20]. The quadripartite group accounts for more than 90%
of the worldwide revenue in information technology. Acknowledging the
needs of both users and governments, their principles call for harmonization
of national cryptography policies and industry-led international standards.

It is conceivable that domestic and international efforts will be sufficient
to avoid crypto anarchy, particularly with support from the international
business community. However, it is possible that they will not be enough.
Many companies are developing products with strong encryption that do
not accommodate government access, standards groups are adopting non-key
escrow standards, and software encryption packages such as PGP are rapidly
proliferating on the Internet, which is due, in part, to the crypto anarchists
whose goal is to lock out the government. Since key escrow adds to the
development and operation costs of encryption products, the price advantage
of unescrowed encryption products could also be a factor which might undermine
the success of a completely voluntary approach. If escrow is integrated
into the public-key infrastructure, however, cost might not be a significant
factor.

Considering the explosive growth of telecommunications and the encryption
market, it will be necessary to closely watch the impact of encryption
on law enforcement. If government-proof encryption begins to seriously
undermine the ability of law enforcement agencies to carry out their missions
and fight organized crime and terrorism, then legislative controls over
encryption technology may be desirable. One possibility would be to license
encryption products but not their use. Licenses could be granted only
for products that reasonably satisfy law enforcement and national security
requirements for emergency decryption and provide privacy protections
for users. The exact requirements might be those that evolve from the
current efforts of the OECD and international business community to develop
common principles and standards. The manufacture, distribution, import,
and export of unlicensed encryption products would be illegal, but no
particular method of encryption would be mandated. Individuals would be
allowed to develop their own encryption systems for personal or educational
use without obtaining licenses, though they could not distribute them
to others. France and Russia have adopted licensing programs, though of
a somewhat different nature. Both countries require licenses to use encryption.

Under this licensing program, commercial encryption products, including
programs distributed through public network servers, would comply with
government regulations. These products would not support absolute privacy
or completely anonymous transactions. Mainstream applications would assure
accountability and protect societal and organizational interests. Although
non-compliant products might be distributed through underground servers
and bulletin boards, such products would not interoperate with licensed
ones, so their use would be limited.

Such an approach would not prevent the use of government-proof encryption
products by criminals and terrorists. They could develop their own or
acquire the products illegally. But an approach of this type would make
it considerably more difficult than it is at present. Had such controls
been adopted several years ago -- before programs such as DES and PGP
were posted on the Internet -- the encryption products on the market today
would support key escrow or some other method for government access. It
would not be possible to acquire strong, government-proof encryption from
reputable vendors or network file servers. The encryption products available
through underground servers and the black market would most likely not
possess as high a quality as products developed through the legitimate
market. Underground products could have security vulnerabilities or be
less user friendly. They would not be integrated into standard applications
or network software.

Summary

Crypto anarchy is an international threat which has been stimulated by
international communications systems including telephones and the Internet.
Addressing this threat requires an international approach that provides
for both secure international communications crossing national boundaries
and electronic surveillance by governments of criminal and terrorist activity
taking place within their jurisdictions. The adoption of an international
approach is critical in order to avoid a situation where the use of encryption
seriously endangers the ability of law enforcement agencies, worldwide,
to fight terrorism and crime. The result will not be worldwide suppression
of communications and encryption tools, as May asserts, but rather the
responsible use of such tools lest they lead to social disorder. Our information
superways require responsible conduct just as our interstate highways
require.

Key escrow encryption has emerged as one approach that can meet the confidentiality
and data recovery needs of organizations while allowing authorized government
access to fight terrorism and crime. It can facilitate the promulgation
of standards and products that support the information security requirements
of the global information infrastructure. The governments of the OECD
nations are working with the international business community to find
specific approaches that are mutually agreeable.

5. For a description of the characteristics of key escrow encryption systems
and different proposals, see Dorothy E. Denning and Dennis K. Branstad,
"A Taxonomy of Key Escrow Encryption," Comm. of the ACM, to
appear in March, 1996. More detailed descriptions of 30 systems can be
found through http://www.cosc.georgetown.edu/~denning/crypto. See also
Dorothy E. Denning, "Key Escrow Encryption: The Third Paradigm,"
Computer Security Journal, Summer, 1995 and Dorothy E. Denning, "Critical
Factors of Key Escrow Encryption Systems," Proc. National Information
Systems Security Conf., Oct. 1995.

8. Because the algorithm is classified and not open to public review,
outside experts were invited to examine the algorithm and report their
findings to the public. See Ernest F. Brickell, Dorothy E. Denning, Stephen
T. Kent, David P. Maher, and Walter Tuchman, "The SKIPJACK Review,
Interim Report: The SKIPJACK Algorithm," July 28, 1993; available
through http://www.cosc.georgetown.edu/~denning/crypto

10. For a technical description of the Clipper Chip and its key escrow
system, see Dorothy E. Denning and Miles Smid, "Key Escrowing Today,"
IEEE Communications, Vol. 32, No. 9, Sept. 1994, pp. 58-68. For a less
technical description and discussion of some of the issues surrounding
Clipper, see Dorothy E. Denning, "The Case for Clipper," MIT
Technology Review, July 1995, pp. 48-55. Both articles can be accessed
through http://www.cosc.georgetown.edu/~denning/crypto